Restrict su access to privileged accounts in Linux


How do you restrict the use of the su command to privileged accounts only (for example, an admin user group) on Linux? The su utility requests the appropriate user credentials through PAM and then switches to that user ID (the default target user is the superuser). In this article, we will study how to configure PAM so that only certain users can use su on Linux systems.

We will create a group and restrict the use of su to users in that group. PAM is used to set the policy that su applies, and it can be configured to allow different user groups to reach specific target UIDs through su. The PAM modules required for this are:

  • pam_succeed_if.so
  • pam_wheel.so
  • pam_listfile.so

What we will accomplish at the end of this guide:

  • Create a Linux group for system administrators
  • Configure PAM so that members of that group are allowed to use su
  • Using su to switch to any other user than the allowed targets will fail

Step 1: Create a group and add users

First create two Linux groups, sysadmins (system administrators) and dbadmins (database administrators):

sudo groupadd sysadmins
sudo groupadd dbadmins

Create three users: admin1, dbuser1 and testuser1.

# Create admin1 user
$ sudo useradd admin1
$ sudo passwd admin1

# Create dbuser1
$ sudo useradd dbuser1
$ sudo passwd dbuser1

# Create testuser1
$ sudo useradd testuser1
$ sudo passwd testuser1

Assign the admin1 user to the sysadmins group (the -a flag appends the group instead of replacing the user's existing supplementary groups):

sudo usermod -aG sysadmins admin1

Assign the dbuser1 user to the dbadmins group:

sudo usermod -aG dbadmins dbuser1

Check the output of getent to confirm that each user has been assigned to the right group:

$ getent group sysadmins
sysadmins:x:1001:admin1

$ getent group dbadmins
dbadmins:x:1002:dbuser1

Step 2: Configure su PAM policy

Create a new file /etc/security/su-sysadmins-access and list in it the target accounts that members of the sysadmins group are allowed to switch to with su:

$ sudo vim /etc/security/su-sysadmins-access
root

Create another file /etc/security/su-dbadmins-access and list in it the target accounts that members of the dbadmins group are allowed to switch to with su:

$ sudo vim /etc/security/su-dbadmins-access
postgres
oracle

Limit write access to the created files to the root user only:

sudo chown root:root /etc/security/su-sysadmins-access
sudo chown root:root /etc/security/su-dbadmins-access

sudo chmod 0644 /etc/security/su-sysadmins-access
sudo chmod 0644 /etc/security/su-dbadmins-access

Confirm permissions:

$ ls -lh /etc/security/su-sysadmins-access
-rw-r--r--. 1 root root 5 Jan 30 10:19 /etc/security/su-sysadmins-access

$ ls -lh /etc/security/su-dbadmins-access
-rw-r--r--. 1 root root 16 Jan 30 10:20 /etc/security/su-dbadmins-access

Configure PAM by editing the file /etc/pam.d/su:

$ sudo vim /etc/pam.d/su

Add the following lines directly after the pam_rootok.so line:

auth              [success=2 default=ignore] pam_succeed_if.so use_uid user notingroup sysadmins
auth  required    pam_wheel.so use_uid group=sysadmins
auth  required    pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-sysadmins-access
auth              [success=2 default=ignore] pam_succeed_if.so use_uid user notingroup dbadmins
auth  required    pam_wheel.so use_uid group=dbadmins
auth  required    pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-dbadmins-access

What the change means:

  • Members of the sysadmins group (admin1) can only use su to become the root user.
  • Members of the dbadmins group (dbuser1) can only use su to become postgres or oracle.

This is what the su file looks like:

#%PAM-1.0
auth              sufficient     pam_rootok.so
auth              [success=2 default=ignore] pam_succeed_if.so use_uid user notingroup sysadmins
auth  required    pam_wheel.so use_uid group=sysadmins
auth  required    pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-sysadmins-access
auth              [success=2 default=ignore] pam_succeed_if.so use_uid user notingroup dbadmins
auth  required    pam_wheel.so use_uid group=dbadmins
auth  required    pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-dbadmins-access
auth              include        system-auth
account           sufficient     pam_succeed_if.so uid = 0 use_uid quiet
account           include        system-auth
password          include        system-auth
session           include        system-auth
session           optional       pam_xauth.so
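The following is an added example, not part of the original article: a small model of how PAM walks the auth section of the /etc/pam.d/su file above, so the policy can be checked for every (caller, target) pair before it is rolled out. The group memberships, the contents of the two access-list files, the UIDs and the stack itself are constructed inline to mirror Steps 1 and 2; the "include system-auth" line is reduced to a single password check (system_auth), which is a simplification of the real system-auth stack.

```python
# Added example (not from the original article): a toy evaluator for the
# "auth" stack of /etc/pam.d/su shown in the article. Everything below is
# constructed test data, not read from a live system.

from dataclasses import dataclass

# Constructed to mirror Step 1: group -> members.
GROUPS = {
    "sysadmins": {"admin1"},
    "dbadmins": {"dbuser1"},
}

# Constructed to mirror the two access-list files from Step 2 (one name per line).
LISTFILES = {
    "/etc/security/su-sysadmins-access": "root\n",
    "/etc/security/su-dbadmins-access": "postgres\noracle\n",
}

# Constructed UIDs; only "root is uid 0" matters for pam_rootok.
UIDS = {"root": 0, "admin1": 1001, "dbuser1": 1002, "testuser1": 1003,
        "postgres": 26, "oracle": 54321}


@dataclass
class Ctx:
    caller: str        # real user running su (what use_uid makes modules look at)
    target: str        # PAM_USER, the account su is switching to
    password_ok: bool  # whether system-auth would accept the target's password


def in_group(user, group):
    return user in GROUPS.get(group, set())


# Module behaviour, reduced to the options the su stack actually uses.
def pam_rootok(ctx, args):
    return UIDS[ctx.caller] == 0


def pam_succeed_if(ctx, args):
    # Models "use_uid user notingroup <group>": true when the caller is NOT in the group.
    return not in_group(ctx.caller, args["notingroup"])


def pam_wheel(ctx, args):
    # Models "use_uid group=<group>": the caller must belong to the group.
    return in_group(ctx.caller, args["group"])


def pam_listfile(ctx, args):
    # Models "item=user sense=allow file=<f>": the target user must be listed.
    return ctx.target in LISTFILES[args["file"]].split()


def system_auth(ctx, args):
    # Simplified stand-in for "include system-auth": the target's password check.
    return ctx.password_ok


# The auth section of /etc/pam.d/su from the article, in order.
AUTH_STACK = [
    ("sufficient", pam_rootok, {}),
    ("success=2", pam_succeed_if, {"notingroup": "sysadmins"}),
    ("required", pam_wheel, {"group": "sysadmins"}),
    ("required", pam_listfile, {"file": "/etc/security/su-sysadmins-access"}),
    ("success=2", pam_succeed_if, {"notingroup": "dbadmins"}),
    ("required", pam_wheel, {"group": "dbadmins"}),
    ("required", pam_listfile, {"file": "/etc/security/su-dbadmins-access"}),
    ("required", system_auth, {}),
]


def evaluate(stack, ctx):
    """Walk the stack with PAM control semantics; True means authentication passes."""
    i = 0
    failed = False
    while i < len(stack):
        control, module, args = stack[i]
        ok = module(ctx, args)
        if control == "sufficient":
            # Success ends the stack early unless an earlier "required" already failed.
            if ok and not failed:
                return True
            i += 1
        elif control.startswith("success="):
            # [success=N default=ignore]: on success skip the next N modules, else ignore.
            skip = int(control.split("=")[1])
            i += 1 + skip if ok else 1
        elif control == "required":
            # Failure is remembered but the stack keeps running to the end.
            if not ok:
                failed = True
            i += 1
        else:
            raise ValueError("unsupported control: " + control)
    return not failed


def su_allowed(caller, target, password_ok=True):
    return evaluate(AUTH_STACK, Ctx(caller, target, password_ok))


if __name__ == "__main__":
    for caller in ("admin1", "dbuser1", "testuser1"):
        for target in ("root", "postgres", "oracle"):
            print(f"{caller:>9} -> {target:<8} {'ALLOW' if su_allowed(caller, target) else 'DENY'}")
```

Running the block prints one line per caller/target pair and reproduces the two bullet points above: admin1 can only reach root, dbuser1 can only reach postgres or oracle, and either of them is denied any other target even with the correct password. The model also makes visible something the Step 3 test cannot show on its own: a caller who is in neither group (testuser1) is skipped past both pam_wheel/pam_listfile pairs by the two pam_succeed_if lines and lands directly in system-auth, so for that user the only thing standing between them and the target account is the target account's password. The two access-list files therefore constrain what members of the two groups may do; they do not by themselves deny users outside those groups.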

Step 3: Test the su PAM policy

Log in as the admin1 user and use su to switch to the allowed target, root (the server address is shown as a placeholder):

$ ssh admin1@<server>
[admin1@<server> ~]$ su - root # enter the root user's password
Password:
Last login: Sat Jan 30 10:17:26 UTC 2021 from 172.20.11.12 on pts/0
[root@<server> ~]# exit
logout

Log in as the dbuser1 user and use su to switch to the allowed target, postgres:

$ ssh dbuser1@<server>
$ su - postgres # the postgres account must already exist on the system

# Or
$ su - oracle

Log in as the testuser1 user, who belongs to neither group, and try su; it should fail:

$ ssh testuser1@<server>
$ su - root
$ su - postgres
